FISMA 2.0: Toward lower risk, faster patching & higher ROI



Nature of Attacks 

80% of attacks leverage known vulnerabilities and configuration 
management setting weaknesses 



Threats Increasing

Tickets per year:

  Year   Tickets
  2008   2104
  2009   3085
  2010   +6000 (projected)*

* 3000 by June 2010

Case Study:

• Scan every 2-7* days
• Find & Fix Top Issues Daily
• Personal results graded
• Hold managers responsible

How: 1. Narrow Aim



CAG ID | Consensus Audit Guideline                           | NIST 800-53 controls | US-CERT report (change over the 11 months before Feb 09)
1      | Inventory of authorized and unauthorized hardware   | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 | +6%
2      | Inventory of authorized and unauthorized software   | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7 | +22%
5      | Boundary defense                                    | AC-17, RA-5, SC-7, SI-4 | +7%
9      | Controlled access based on need to know             | AC-1, AC-2, AC-3, AC-6, AC-13 | 1%
12     | Anti-malware defenses                               | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 | +60%



2. Bad Things by Numbers

Littering vs. Chemical Dumping

L.A. hotel pays a $200,000 fine because an employee dumps pool chemicals into a drain; fumes fill a subway station and several people become ill. (March 23, 2010)

Cube and Divide by 100

Risk Score Components

Component                           | Score    | Avg/Host | %      | How Component is Calculated
VUL - Vulnerability                 | 947.0    | 3.0      | 10.9%  | From .1 for the lowest risk vulnerability to 10 for the highest risk vulnerability
PAT - Patch                         | 602.8*   | 1.9      | 6.9%   | From 3 for each missing "Low" patch to 10 for each missing "Critical" patch
SCM - Security Compliance**         | 6,181.3  | 19.5     | 71.2%  | From .9 for each failed Application Log check to .43 for each failed Group Membership check
AVR - Anti-Virus                    | 0.0      | 0.0      | 0.0%   | 6 per day for each signature file older than 6 days
SOE - SOE Compliance                | 115.0    | 0.4      | 1.3%   | 5 for each missing or incorrect version of an SOE component
ADC - AD Computers                  | 26.0     | 0.1      | 0.3%   | 1 per day for each day the AD computer password age exceeds 35 days
ADU - AD Users                      | 222.0    | 0.7      | 2.6%   | 1 per day for each account that does not require a smart-card and whose password age > 60, plus 5 additional if the password never expires
SMS - SMS Reporting                 | 230.0    | 0.7      | 2.6%   | 100 + 10 per day for each host not reporting completely to SMS
VUR - Vulnerability Reporting       | 84.0     | 0.3      | 1.0%   | After a host has no scans for 15 consecutive days, 5 + 1 per 7 additional days
SCR - Security Compliance Reporting | 279.0    | 0.9      | 3.2%   | After a host has no scans for 30 consecutive days, 5 + 1 per 15 additional days
Total Risk Score                    | 8,687.1  | 27.4     | 100.0% |

* The PAT score is illegible in the source; 602.8 is the total minus the other nine components and is consistent with the 1.9 average and 6.9% share shown.
** The component code on this row is illegible in the source; SCM is assumed.

For additional information on Risk Scoring, assistance with remediations, or to report suspected false positives, contact the IT Service Center to open a "Risk Score" ticket.



3. Calculate Grades A+ to F-

Risk Score Advisor

  Hosts               317
  Average Risk Score  27.4
  Risk Level Grade    A+
  Rank in Enterprise  163 of 438
  Rank in Region      16 of 48

Grade bands (average risk score per host):

  At Least | Less Than | Grade
  0.0      | 40.0      | A+
  40.0     | 75.0      | A
  75.0     | 110.0     | B
  110.0    | 180.0     | C
  180.0    | 280.0     | D
  280.0    | 400.0     | F
  400.0    | (none)    | F- (grade cell illegible in the source; inferred from the slide title)
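The scoring rules from the component table and the grade bands above, carried through as an added worked example. This is not the State Department's iPost code (the slides do not show its internals) and everything the slides leave unstated is an assumption, marked as such in the code: the "cube and divide by 100" rule is applied to the CVSS base score, which reproduces the slide's .1-to-10 range; the patch ladder between 3 (Low) and 10 (Critical) is interpolated; "1 per 7 additional days" is counted in whole weeks; and an average of 400 or more is graded F-. The hosts are constructed sample data. The per-check components (SCM, SOE) are omitted; the per-account component (ADU) is shown as a separate function.

```python
"""Added worked example (not the slides' own code): per-host risk charges from
the "Cube and Divide by 100" component table and the A+ to F- grade bands,
run over a constructed host inventory.
Assumptions not stated on the slides: the vulnerability charge is
CVSS_base**3 / 100 (10 points for a CVSS 10 finding, about .1 for CVSS 2.2);
the patch ladder Low=3, Moderate=5, Important=7, Critical=10 interpolates
"from 3 ... to 10"; "1 per 7 additional days" is counted in whole weeks;
an average of 400 or more is graded F-."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PATCH_CHARGE = {"Low": 3.0, "Moderate": 5.0, "Important": 7.0, "Critical": 10.0}
COMPONENTS = ("VUL", "PAT", "AVR", "ADC", "SMS", "VUR", "SCR")
# (at least, less than, grade) from the Risk Score Advisor slide
GRADE_BANDS = [(0.0, 40.0, "A+"), (40.0, 75.0, "A"), (75.0, 110.0, "B"),
               (110.0, 180.0, "C"), (180.0, 280.0, "D"), (280.0, 400.0, "F")]
BOTTOM_GRADE = "F-"  # assumed for averages of 400 and above


def vulnerability_charge(cvss_base: float) -> float:
    """'Cube and divide by 100': CVSS 10.0 -> 10 points, CVSS 2.2 -> 0.10648 points."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie between 0 and 10")
    return cvss_base ** 3 / 100.0


def ad_user_charge(requires_smartcard: bool, password_age_days: int,
                   never_expires: bool) -> float:
    """ADU: 1 per day past 60 days for non-smart-card accounts, +5 if never expires."""
    if requires_smartcard:
        return 0.0
    charge = float(max(0, password_age_days - 60))
    return charge + 5.0 if never_expires else charge


@dataclass
class Host:
    name: str
    cvss_findings: List[float] = field(default_factory=list)  # open vulns, CVSS base
    missing_patches: List[str] = field(default_factory=list)  # severities
    av_signature_age_days: int = 0
    ad_password_age_days: int = 0
    days_since_vuln_scan: int = 0
    days_since_compliance_scan: int = 0
    sms_days_not_reporting: Optional[int] = None  # None = reporting completely


def host_components(h: Host) -> Dict[str, float]:
    """Charges per component, following the 'How Component is Calculated' column."""
    c: Dict[str, float] = {}
    c["VUL"] = sum(vulnerability_charge(s) for s in h.cvss_findings)
    c["PAT"] = sum(PATCH_CHARGE[sev] for sev in h.missing_patches)
    c["AVR"] = 6.0 * max(0, h.av_signature_age_days - 6)        # 6/day once older than 6 days
    c["ADC"] = float(max(0, h.ad_password_age_days - 35))       # 1/day past 35 days
    c["SMS"] = (0.0 if h.sms_days_not_reporting is None
                else 100.0 + 10.0 * h.sms_days_not_reporting)    # 100 + 10/day not reporting
    c["VUR"] = (0.0 if h.days_since_vuln_scan < 15
                else 5.0 + (h.days_since_vuln_scan - 15) // 7)  # 5 + 1 per further 7 days
    c["SCR"] = (0.0 if h.days_since_compliance_scan < 30
                else 5.0 + (h.days_since_compliance_scan - 30) // 15)
    return c


def host_score(h: Host) -> float:
    return sum(host_components(h).values())


def grade(average_score: float) -> str:
    """Map a site's average per-host score to a letter grade ('at least' is inclusive)."""
    if average_score < 0:
        raise ValueError("risk scores are non-negative")
    for low, high, letter in GRADE_BANDS:
        if low <= average_score < high:
            return letter
    return BOTTOM_GRADE


def site_report(hosts: List[Host]) -> dict:
    """Totals, average, grade and the component share table for one site."""
    per_host = [host_components(h) for h in hosts]
    totals = {code: sum(c[code] for c in per_host) for code in COMPONENTS}
    total = sum(totals.values())
    average = total / len(hosts)
    return {
        "hosts": len(hosts),
        "total": round(total, 1),
        "average": round(average, 1),
        "grade": grade(average),
        "components": {code: (round(v, 1), round(100.0 * v / total, 1) if total else 0.0)
                       for code, v in totals.items()},
    }


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ws01", cvss_findings=[10.0, 7.5], missing_patches=["Critical"]),
    Host("ws02", cvss_findings=[2.2], av_signature_age_days=9),
    Host("srv01", ad_password_age_days=40, days_since_vuln_scan=29, sms_days_not_reporting=3),
    Host("srv02", days_since_compliance_scan=60),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h.name:6} {host_score(h):7.2f}  {host_components(h)}")
    print(site_report(SAMPLE_HOSTS))
```

Run directly, it prints each host's component breakdown and the site report. The four sample hosts average in the A band, and the one host that has been silent to SMS for three days contributes 130 of the site's 191 points: the reporting charges deliberately score a host that cannot be measured as if it were risky, so a monitoring gap cannot hide behind a good grade.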







Risk Score Profile: Results First 12 Months

Personal Computers and Servers: 90% Reduction

[Chart: risk score profile by date over the first 12 months; date axis illegible in the source]



Risk Scoring in 2nd Year: Operation Aurora Attack

Call a Problem 40x Worse

[Chart: percent of applicable devices patched by date, 2-Apr to 16-Apr 2010]

Risk scoring moves State Dept from 20-85% patched in six (6) days: April 3-9, 2010



Efficiency is Repeatable & Sustained

[Chart: percent of applicable devices patched by day, 0-100%]
  Series: Expected Value (Based on all reporting machines)
          Lower Bound (Assumes all non-reporting machines are non-compliant)

MS10-042 - August 2010
Percent of applicable devices patched when charging 40 points:
  0-84% in seven (7) days
  0-93% in 30 days
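The legend's two series, computed as an added example (not from the slides) over constructed daily snapshots of one patch roll-out. Hosts that have not reported are excluded from the expected value but counted as unpatched in the lower bound, so the gap between the two lines is the measurement uncertainty that silent hosts introduce. The 40-point charge behind the MS10-042 numbers is a scoring-weight setting and is not modelled here.

```python
"""Added example (not from the slides): the chart legend's two compliance
figures, computed from constructed daily snapshots. Each snapshot maps a host
to True (patched), False (not patched) or None (host did not report)."""
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Optional[bool]]


def compliance_figures(snapshot: Snapshot) -> Dict[str, float]:
    """Expected value uses reporting hosts only; the lower bound counts silent hosts as unpatched."""
    applicable = len(snapshot)
    reporting = [v for v in snapshot.values() if v is not None]
    patched = sum(1 for v in reporting if v)
    expected = patched / len(reporting) if reporting else 0.0
    lower = patched / applicable if applicable else 0.0
    return {
        "applicable": applicable,
        "reporting": len(reporting),
        "patched": patched,
        "expected_value": round(100.0 * expected, 1),
        "lower_bound": round(100.0 * lower, 1),
        "reporting_gap": round(100.0 * (expected - lower), 1),  # uncertainty from silent hosts
    }


def days_to_reach(series: List[Tuple[int, Snapshot]], target_pct: float) -> Dict[str, Optional[int]]:
    """First day on which each figure reaches target_pct, or None if it never does."""
    reached: Dict[str, Optional[int]] = {"expected_value": None, "lower_bound": None}
    for day, snap in series:
        figures = compliance_figures(snap)
        for key in reached:
            if reached[key] is None and figures[key] >= target_pct:
                reached[key] = day
    return reached


# Constructed roll-out of one patch across ten hosts (not real data):
# day 0 nothing patched, two hosts silent; day 3 six patched, two silent;
# day 7 eight patched, one unpatched, one silent.
SAMPLE_SERIES: List[Tuple[int, Snapshot]] = [
    (0, {f"h{i}": (None if i >= 8 else False) for i in range(10)}),
    (3, {f"h{i}": (None if i >= 8 else i < 6) for i in range(10)}),
    (7, {f"h{i}": (None if i == 9 else i < 8) for i in range(10)}),
]

if __name__ == "__main__":
    for day, snap in SAMPLE_SERIES:
        print(day, compliance_figures(snap))
    print(days_to_reach(SAMPLE_SERIES, 84.0))
```

On the sample series the expected value crosses 84% on day 7 while the lower bound never does, which is why a roll-out report should carry both numbers: the first says how the measured fleet is doing, the second says how much of the fleet is still unmeasured.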
Risk Score Monitor Enterprise

1/3 of Remaining Risk Removed [Year 2: PCs/Servers]

Benefit of Continuous Attention

[Chart, 5/17/2009 to 8/10/2010; series: More Risk Measured, Risk Problems Fixed, Projected, Poly. (Projected)]

If corrective action stopped, how quickly would risk accumulate?



Lessons Learned 

• When continuous monitoring augments snapshots required by FISMA: 

- Mobilizing to lower risk is feasible & fast (11 mo) 

- Changes in 24 time zones with no direct contact 

- Cost: 15 FTE above technical management base 

• This approach leverages the wider workforce 

• Security culture gains are grounded in fairness, commitment and personal accountability for improvement 



Next Steps

C&A: Not Just a Snapshot

Continuous C&A Process will provide more effective real-time security, not just a snapshot in time.

[Diagram: Continuous C&A Process feeding the System Security Plan]




Continuous C&A Pilots

a. Inventory of Authorized Assets (CAG 1/2)
b. Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13)
c. SCAP Content (automated & non-automated testing)
d. Boundary Defense (CAG 5/14)
e. Situational Awareness and Threat Analysis
f. Applications (CAG 7)
g. Access Controls (CAG 6/8/9/11)
h. Data Loss Protection (CAG 15)



Risk

[Diagram: RISK as the intersection of Vulnerabilities, Threat and Impact]
Conclusions

• Scalable to large complex public and private sector organizations 

• Higher ROI for continuous monitoring of technical controls as a substitute for paper reports 

• Summarized risk estimates could be fed to enterprise level reporting 



Continuous C&A Pilots

A. Inventory of Authorized Assets (CAG 1-2)

CAG 1
  Quick Wins: Use existing network tools (Campus Manager) to identify new devices to check against authorized inventory.
    ♦ Requires implementing these tools network-wide.
  Long Term Strategy: Refine the quick-win strategy. Maturing oversight processes. Implement Network Access Control (NAC, as feasible).

CAG 2
  Quick Wins: Use Windows Add/Remove Programs to identify software on Windows devices to check against authorized inventory. Use CCB and standard images for approved ARP entries. Map ARP to CPEs for FISMA reporting.
  Long Term Strategy: Use authoritative white-listing tools for binary object level control. Maturing oversight processes.
Continuous C&A Pilots

B. Configuration/Vulnerability Management (CAG 3-4-10-12-13)

CAG 3/12
  Quick Wins: Continue current practices of scanning all Windows devices.
  Long Term Strategy: Find a more graceful way to manage transition between CM versions. Maturing oversight processes.

CAG 4/10/13
  Quick Wins: Cover all network devices not covered by CAG 3 (Windows devices) using existing scanning tools.
  Long Term Strategy: Add scanning tools that may be needed beyond those currently available. Expand configuration standards to cover more device types. Use SCAP to define all configuration standards. Maturing oversight processes.
Continuous C&A Pilots

C. SCAP Content

Quick Wins: Adopt and modify community SCAP content to cover as many needs as possible.
Long Term Strategy: Find a more graceful way to manage transition between CM versions. Maturing oversight processes.

Quick Wins: Develop SCAP content and prototype tools to include covering:
  ♦ All test policy (including manual testing)
  ♦ Configuration guides
  ♦ SSP Control Lists
  ♦ Test plans
  ♦ Test specifications for sensors
  ♦ Test Results
  ♦ POA&M Tracking
Long Term Strategy: Develop a community tool to efficiently write and display SCAP to support all functions listed above. Expand SCAP content to fully cover policy needs. Maturing oversight processes.

Supports all CAG areas!!



Continuous C&A Pilots

D. Boundary Defense (CAG 5/14)

Quick Wins: Get firewall rules under situational awareness tool oversight. Monitor for wireless access points, and remove them from the network.
Long Term Strategy: Model impact of changes to FW rules prior to changes and assess impact. Formally sunset all firewall rule exceptions, and require re-approval to continue. Implement internal segmentation of the network to reduce risks of threat by insiders and successful intruders. Maturing oversight processes.



Continuous C&A Pilots

E. Situational Awareness and Threat Analysis

Situational Awareness
  Quick Wins: Conduct pilots to identify attack paths using GOTS tools and find ways to block attacks on parts of the network.
  Long Term Strategy: Using lessons learned from quick wins, expand to the full network, using a COTS tool, if appropriate. Use capability to refine risk scoring and inform the DAA decision process. Maturing oversight processes.

Threat Analysis
  Quick Wins:
    ♦ Continue current practices.
    ♦ Use existing Threat Analysis capability to refine risk scoring.
    ♦ Use DHS penetration team on any system late for C&A.
  Long Term Strategy: Find ways to refine these practices. Use to inform the DAA decision process. Maturing oversight processes.
Continuous C&A Pilots

F. Applications (CAG 7)

Quick Wins:
  Expand use of existing monitoring to cover GSS support for each system.
  Pilot tools (in the areas specified by CAG) to identify utility of these tests:
    • Code Reviews (common weakness)
    • Web Application Scanning
    • DB Scanning
    • I/O Data Filtering
  Establish OCIL checklists for critical points in the acquisition-development lifecycle.

Long Term Strategy:
  Place piloted tools into general production, at least by system integration test, and preferably sooner.
  Build security into the acquisition-development lifecycles.
  Training acquisition staff/developers/owners in security management.
  Maturing oversight processes.
Continuous C&A Pilots

G. Access Controls (CAG 6/8/9/11)

Quick Wins:
  Automated identification of accounts with elevated privileges, and increase scoring of weaknesses on those accounts in proportion to the level of privileges.
  Make the full impact of access control lists transparent.
  Explore log data-mining tools.
  Identify rules to highlight significant events and eliminate "white noise".

Long Term Strategy:
  Reverse engineer roles that explain current access patterns based on user attributes.
  Find anomalies given those rules and investigate as suspicious.
  Identify refined rules to identify and highlight unusual access, eliminating "white noise".
  Maturing oversight processes.



